RST Cloud - Threat Feed API

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

This is the RST Threat Feed integration for interacting with the RST Cloud API. This integration was integrated and tested with RST Cloud - Threat Feed API v1.

Please contact the RST Cloud team via email support@rstcloud.net to obtain a key and ask any questions you have. Also, the following contact details can be used:

Each indicator is ranked from 0 to 100. Indicators are collected from multiple sources and cross-verified using multiple criteria. Check the indicator tags and malware family fields: an indicator may describe known malware or a scanning host, so different actions may be required depending on the context.

Configure RST Cloud - Threat Feed API on Cortex XSOAR

1. Navigate to Settings > Integrations > Servers & Services.

2. Search for RST Cloud - Threat Feed API.

3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| Server URL (e.g. https://api.rstcloud.net/v1) | | True |
| API Key | | True |
| Score threshold for IP reputation command | The RST Threat Feed score (0-100) that determines whether an IP is malicious. | True |
| Score threshold for domain reputation command | The RST Threat Feed score (0-100) that determines whether a domain is malicious. | True |
| Score threshold for url reputation command | The RST Threat Feed score (0-100) that determines whether a URL is malicious. | True |
| IP Indicator Expiration (days) | Mark IP indicators older than the indicator_expiration_ip value (in days) as Suspicious, ignoring the last available score. | True |
| Domain Indicator Expiration (days) | Mark domain indicators older than the indicator_expiration_domain value (in days) as Suspicious, ignoring the last available score. | True |
| URL Indicator Expiration (days) | Mark URL indicators older than the indicator_expiration_url value (in days) as Suspicious, ignoring the last available score. | True |
| Use system proxy settings | | False |
| Trust any certificate (not secure) | | False |

4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ip

Returns IP information and reputation.

Base Command

ip

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | List of IPs. | Required |
| threshold | If the IP's reputation score is above the threshold, the IP is defined as malicious. If the threshold is not set, the threshold from the instance configuration is used. Default is 45. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| IP.Address | String | IP address. |
| IP.Geo.Country | String | Country of origin. |
| IP.Tags | String | The associated tags. |
| IP.Malicious.Vendor | String | The vendor reporting the IP address as malicious. |
| IP.Malicious.Description | String | A description explaining why the IP address was reported as malicious. |
| IP.Malicious.Score | String | The score calculated for the indicator by the vendor. |
| RST.IP.Address | String | The actual IP address. |
| RST.IP.Geo.Country | String | The country name. |
| RST.IP.Geo.Region | String | The geo region name. |
| RST.IP.Geo.City | String | The city name. |
| RST.IP.ASN | String | The autonomous system name for the IP address. |
| RST.IP.Organization | String | The organisation name for the autonomous system name for the IP address. |
| RST.IP.ISP | String | The Internet Service Provider name for the autonomous system name for the IP address. |
| RST.IP.CloudHosting | String | The Cloud Provider name for the IP address. |
| RST.IP.NumberOfDomainInASN | String | The number of domain names for the IP address. |
| RST.IP.FirstSeen | Date | First Seen. |
| RST.IP.LastSeen | Date | Last Seen. |
| RST.IP.Tags | String | The associated tags. |
| RST.IP.Threat | String | The associated Malware Family or threat name. |
| RST.IP.Score | Number | The total score. |
| RST.IP.UUID | String | The unique ID for the indicator. |
| RST.IP.RSTReference | String | The link to the raw JSON indicator. |
| RST.IP.Related | String | The associated domains. |
| RST.IP.FalsePositive | String | true if it is likely a False Positive. |
| RST.IP.FalsePositiveDesc | String | Description of why we think it may be a False Positive. |

Command Example

!ip ip=1.32.54.12 threshold=50

Context Example

```json
{
  "DBotScore": {
    "Indicator": "1.32.54.12",
    "Score": 2,
    "Type": "ip",
    "Vendor": "RST Cloud"
  },
  "IP": {
    "ASN": "4788",
    "Address": "1.32.54.12",
    "Geo": {
      "Country": "Malaysia"
    },
    "Tags": [
      "c2",
      "generic"
    ]
  },
  "RST": {
    "IP": {
      "ASN": "4788",
      "Address": "1.32.54.12",
      "CloudHosting": "",
      "FalsePositive": "false",
      "FalsePositiveDesc": "",
      "FirstSeen": "2019-12-05T00:00:00.000Z",
      "Geo": {
        "city": "Batang Kali",
        "country": "Malaysia",
        "region": "Selangor"
      },
      "ISP": "TMNETASAP",
      "LastSeen": "2021-01-26T00:00:00.000Z",
      "NumberOfDomainInASN": "9615",
      "Organization": "TM Net Internet Service Provider",
      "RSTReference": "https://rstcloud.net/uuid?id=8f10a17d-9931-3329-b97f-db3953c093e2",
      "Related": [],
      "Score": "3",
      "Tags": [
        "c2",
        "generic"
      ],
      "Threat": [
        "emotet"
      ],
      "Type": "IP",
      "UUID": "8f10a17d-9931-3329-b97f-db3953c093e2"
    }
  }
}
```

Human Readable Output

RST Threat Feed IP Reputation for: 1.32.54.12

| Description | Last Seen | Relevance | Score | Tags | Threat |
| --- | --- | --- | --- | --- | --- |
| Ioc with tags: c2, generic. related threats: emotet | 2021-01-26 | Suspicious | 3 | c2, generic | emotet |
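The score threshold and indicator expiration parameters from the instance configuration, together with the ip command's context output, can be reproduced in a few lines. The following Python is an added example, not the integration's own code: it applies a threshold and an expiration window to the page's sample indicator and assembles the DBotScore / IP / RST.IP context in the shape of the Context Example above, plus the row shown in the Human Readable Output. The DBotScore values (2 = Suspicious, 3 = Bad), the rule that a score at or above the threshold is malicious while anything below it stays Suspicious, and the fixed REFERENCE_NOW date are assumptions; the page itself only shows the below-threshold case.

```python
"""Added example: verdict logic for RST Threat Feed indicators in Cortex XSOAR terms.

Not the integration's own code. Assumptions (not stated on the page):
  * DBotScore follows the usual XSOAR convention: 2 = Suspicious, 3 = Bad.
  * A score at or above the configured threshold is malicious; below it is Suspicious.
  * REFERENCE_NOW is a fixed "current time" so the example is reproducible offline.
"""
from datetime import datetime, timedelta, timezone
import json

DBOT_SUSPICIOUS = 2
DBOT_BAD = 3
VENDOR = "RST Cloud"

# Fixed clock for the example (assumption; a real integration would use the current time).
REFERENCE_NOW = datetime(2021, 2, 1, tzinfo=timezone.utc)

# Constructed sample in the shape of the ip command's RST.IP context; the field values
# are the ones the page's Context Example shows for 1.32.54.12.
SAMPLE_RST_IP = {
    "Address": "1.32.54.12",
    "ASN": "4788",
    "Geo": {"country": "Malaysia", "region": "Selangor", "city": "Batang Kali"},
    "Tags": ["c2", "generic"],
    "Threat": ["emotet"],
    "Score": "3",
    "FirstSeen": "2019-12-05T00:00:00.000Z",
    "LastSeen": "2021-01-26T00:00:00.000Z",
    "FalsePositive": "false",
    "FalsePositiveDesc": "",
    "UUID": "8f10a17d-9931-3329-b97f-db3953c093e2",
}


def parse_rst_date(value):
    """Parse the feed's ISO 8601 timestamps (e.g. 2021-01-26T00:00:00.000Z) as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def describe(tags, threats):
    """Build the description string the Human Readable Output uses."""
    text = "Ioc with tags: " + ", ".join(tags)
    if threats:
        text += ". related threats: " + ", ".join(threats)
    return text


def verdict(score, last_seen, threshold, expiration_days, now):
    """Map an RST score to (DBotScore, relevance label).

    Expiration is checked first: an indicator whose LastSeen is older than
    expiration_days is Suspicious regardless of score ("ignoring the last
    available score"). Otherwise a score at or above the threshold is malicious
    and anything below it is Suspicious (assumed, see module docstring).
    """
    if parse_rst_date(last_seen) < now - timedelta(days=expiration_days):
        return DBOT_SUSPICIOUS, "Suspicious"
    if int(score) >= threshold:
        return DBOT_BAD, "Malicious"
    return DBOT_SUSPICIOUS, "Suspicious"


def build_ip_context(raw, threshold, expiration_days, now):
    """Return (context, readable_row) for one RST IP record.

    context mirrors the DBotScore / IP / RST.IP layout of the Context Example;
    IP.Malicious is only populated when the verdict is Bad.
    """
    dbot, relevance = verdict(raw["Score"], raw["LastSeen"], threshold, expiration_days, now)
    ip_entry = {
        "Address": raw["Address"],
        "ASN": raw["ASN"],
        "Geo": {"Country": raw["Geo"]["country"]},
        "Tags": list(raw["Tags"]),
    }
    if dbot == DBOT_BAD:
        ip_entry["Malicious"] = {
            "Vendor": VENDOR,
            "Description": describe(raw["Tags"], raw["Threat"]),
            "Score": raw["Score"],
        }
    context = {
        "DBotScore": {"Indicator": raw["Address"], "Score": dbot, "Type": "ip", "Vendor": VENDOR},
        "IP": ip_entry,
        "RST": {"IP": dict(raw, Type="IP")},
    }
    readable_row = {
        "Description": describe(raw["Tags"], raw["Threat"]),
        "Last Seen": raw["LastSeen"][:10],
        "Relevance": relevance,
        "Score": raw["Score"],
        "Tags": ", ".join(raw["Tags"]),
        "Threat": ", ".join(raw["Threat"]),
    }
    return context, readable_row


if __name__ == "__main__":
    # Same threshold as the page's "!ip ip=1.32.54.12 threshold=50" example, 30-day expiration.
    ctx, row = build_ip_context(SAMPLE_RST_IP, threshold=50, expiration_days=30, now=REFERENCE_NOW)
    print(json.dumps(ctx, indent=2))
    print(row)
```

Run with a lower threshold (for instance 2) to see the IP.Malicious block appear, and with a short expiration window (for instance 3 days against REFERENCE_NOW) to see the indicator fall back to Suspicious even though its score is above the threshold.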

domain

Returns Domain information and reputation.

Base Command

domain

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | List of Domains. | Required |
| threshold | If the domain's reputation score is above the threshold, the domain is defined as malicious. If the threshold is not set, the threshold from the instance configuration is used. Default is 45. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| Domain.Name | String | The domain name. |
| Domain.Tags | String | The associated tags. |
| Domain.Malicious.Vendor | String | The vendor reporting the domain as malicious. |
| Domain.Malicious.Description | String | A description explaining why the domain was reported as malicious. |
| Domain.Malicious.Score | String | The score calculated for the indicator by the vendor. |
| RST.Domain.Name | String | The domain name. |
| RST.Domain.WhoisAge | Number | Days since creation. |
| RST.Domain.WhoisDomainCreationDate | Date | Creation date. Format is ISO8601. |
| RST.Domain.WhoisDomainUpdateDate | Date | Update date. Format is ISO8601. |
| RST.Domain.WhoisDomainExpireDate | Date | Expiration date. Format is ISO8601. |
| RST.Domain.WhoisRegistrar | String | Domain Registrar. |
| RST.Domain.WhoisRegistrant | String | Domain Registrant. |
| RST.Domain.FirstSeen | Date | First Seen. |
| RST.Domain.LastSeen | Date | Last Seen. |
| RST.Domain.Tags | String | The associated tags. |
| RST.Domain.Threat | String | The associated Malware Family or threat name. |
| RST.Domain.Score | Number | The total score. |
| RST.Domain.UUID | String | The unique ID for the indicator. |
| RST.Domain.RSTReference | String | The link to the raw JSON indicator. |
| RST.Domain.Related | String | The associated IP addresses. |
| RST.Domain.FalsePositive | String | true if it is likely a False Positive. |
| RST.Domain.FalsePositiveDesc | String | Description of why we think it may be a False Positive. |

Command Example

!domain domain="02.xn--kprv2p5ncce060cgo9d.cc" threshold=40

Context Example

```json
{
  "DBotScore": {
    "Indicator": "02.xn--kprv2p5ncce060cgo9d.cc",
    "Score": 2,
    "Type": "domain",
    "Vendor": "RST Cloud"
  },
  "Domain": {
    "Name": "02.xn--kprv2p5ncce060cgo9d.cc",
    "Tags": [
      "malware"
    ]
  },
  "RST": {
    "Domain": {
      "FalsePositive": "true",
      "FalsePositiveDesc": "Domain not resolved. Whois records not found",
      "FirstSeen": "2020-06-26T00:00:00.000Z",
      "LastSeen": "2021-01-25T00:00:00.000Z",
      "Name": "02.xn--kprv2p5ncce060cgo9d.cc",
      "RSTReference": "https://rstcloud.net/uuid?id=552fdbe7-7265-3a9d-b364-83426d1c2dbc",
      "Related": {
        "a": [],
        "alias": [],
        "cname": []
      },
      "Score": "10",
      "Tags": [
        "malware"
      ],
      "Threat": [],
      "Type": "Domain",
      "UUID": "552fdbe7-7265-3a9d-b364-83426d1c2dbc",
      "WhoisAge": "",
      "WhoisDomainCreationDate": "",
      "WhoisDomainExpireDate": "",
      "WhoisDomainUpdateDate": "",
      "WhoisRegistrant": "",
      "WhoisRegistrar": ""
    }
  }
}
```

Human Readable Output

RST Threat Feed Domain Reputation for: 02.xn--kprv2p5ncce060cgo9d.cc

| Description | Last Seen | Relevance | Score | Tags |
| --- | --- | --- | --- | --- |
| Ioc with tags: malware | 2021-01-25 | Suspicious | 10 | malware |

url

Returns URL information and reputation.

Base Command

url

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| url | List of URLs. | Required |
| threshold | If the URL's reputation score is above the threshold, the URL is defined as malicious. If the threshold is not set, the threshold from the instance configuration is used. Default is 30. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| URL.Data | String | The URL. |
| URL.Tags | String | The associated tags. |
| URL.Malicious.Vendor | String | The vendor reporting the URL as malicious. |
| URL.Malicious.Description | String | A description explaining why the URL was reported as malicious. |
| URL.Malicious.Score | String | The score calculated for the URL indicator by the vendor. |
| RST.URL.Data | String | The URL. |
| RST.URL.Status | String | Last HTTP status code. |
| RST.URL.FirstSeen | Date | First Seen. |
| RST.URL.LastSeen | Date | Last Seen. |
| RST.URL.Tags | String | The associated tags. |
| RST.URL.Threat | String | The associated Malware Family or threat name. |
| RST.URL.Score | Number | The total score. |
| RST.URL.UUID | String | The unique ID for the indicator. |
| RST.URL.Description | String | The associated Description provided by the vendor. |
| RST.URL.FalsePositive | String | true if it is likely a False Positive. |
| RST.URL.FalsePositiveDesc | String | Description of why we think it may be a False Positive. |
| RST.URL.Parsed | String | Parsed URL components. |
| RST.URL.CVE | String | Related CVE (vulnerabilities). |

Command Example

!url url="https://cwa.mx/himalaya/ziqqbxu4f7cwsordfxkihmhwfcc" threshold=30

Context Example

```json
{
  "DBotScore": {
    "Indicator": "https://cwa.mx/himalaya/ziqqbxu4f7cwsordfxkihmhwfcc",
    "Score": 2,
    "Type": "url",
    "Vendor": "RST Cloud"
  },
  "RST": {
    "URL": {
      "CVE": [],
      "Data": "https://cwa.mx/himalaya/ziqqbxu4f7cwsordfxkihmhwfcc",
      "FalsePositive": "true",
      "FalsePositiveDesc": "Resource unavailable",
      "FirstSeen": "2021-01-05T00:00:00.000Z",
      "LastSeen": "2021-01-26T00:00:00.000Z",
      "Parsed": {
        "anchor": null,
        "domain": "cwa.mx",
        "params": null,
        "path": "/himalaya/ziqqbxu4f7cwsordfxkihmhwfcc",
        "port": "443",
        "schema": "https"
      },
      "RSTReference": "https://rstcloud.net/uuid?id=f64f7a99-068b-3fec-b572-598f9d11d4d6",
      "Score": "14",
      "Status": "503",
      "Tags": [
        "malware"
      ],
      "Threat": [
        "emotet"
      ],
      "Type": "URL",
      "UUID": "f64f7a99-068b-3fec-b572-598f9d11d4d6"
    }
  },
  "URL": {
    "Data": "https://cwa.mx/himalaya/ziqqbxu4f7cwsordfxkihmhwfcc",
    "Tags": [
      "malware"
    ]
  }
}
```

Human Readable Output

RST Threat Feed URL Reputation for: https://cwa.mx/himalaya/ziqqbxu4f7cwsordfxkihmhwfcc

| Description | Last Seen | Relevance | Score | Tags | Threat |
| --- | --- | --- | --- | --- | --- |
| Ioc with tags: malware. related threats: emotet | 2021-01-26 | Suspicious | 14 | malware | emotet |

rst-submit-new

Submits an indicator to RST Threat Feed.

Base Command

rst-submit-new

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ioc | List of IOCs (URLs, domains or IPs). | Required |
| description | Any context to pass to RST Cloud. | Optional |
descriptionAny context to pass to RST Cloud.Optional

Context Output

There is no context output for this command.

Command Example

!rst-submit-new ioc="thisisamaliciouswebsite.com" description="a user downloaded a trojan"

Human Readable Output

Indicator: thisisamaliciouswebsite.com was submitted as a potential threat indicator to RST Cloud

rst-submit-fp

Submits a potential False Positive to RST Threat Feed.

Base Command

rst-submit-fp

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ioc | List of IOCs (URLs, domains or IPs). | Required |
| description | Any context to pass to RST Cloud. | Optional |

Context Output

There is no context output for this command.

Command Example

!rst-submit-fp ioc="thisisnotamaliciousdomain.com" description="a decent website"

Human Readable Output

Indicator: thisisnotamaliciousdomain.com was submitted as False Positive to RST Cloud